Security at Bluebricks

Bluebricks is built to help teams manage infrastructure with confidence. From architecture design to production controls, security, reliability, and accountability are foundational to how Bluebricks operates.

This page provides a high-level overview of Bluebricks' security practices. For audit reports, certifications, and detailed control documentation, please visit the Bluebricks Trust Center.

Compliance

Bluebricks is SOC 2 Type II certified and operates in alignment with GDPR requirements.

Compliance reports, audit letters, penetration test summaries, and security policies are available through the Bluebricks Trust Center.

How we approach security

Security at Bluebricks is embedded into product design and daily operations.

Our security program includes:

• Secure development practices embedded in the software development lifecycle (SDLC)

• Formal change management for production systems

• Annual independent SOC 2 audits

• Regular third-party penetration testing

• Continuous vulnerability scanning and monitoring

• Documented incident response, business continuity, and disaster recovery procedures

• Centralized audit logging across application and infrastructure layers

Product architecture and security model

Bluebricks is an infrastructure orchestration platform. It operates at the infrastructure layer and does not deploy, process, or inspect customer application data or business payloads.

Control plane (Bluebricks-managed)

The control plane is hosted and operated by Bluebricks. It:

• Manages orchestration logic, APIs, user interface, and audit history

• Stores infrastructure metadata and activity records

• Does not store customer application data or runtime traffic

Only infrastructure-related metadata required to plan and orchestrate changes is stored.

Orchestration plane (customer-controlled)

Infrastructure changes are executed inside customer-controlled cloud environments.

The orchestrator can run:

• As a fully managed SaaS runner

• As a self-hosted runner inside a customer's Kubernetes cluster

Execution is job-scoped and does not provide persistent access beyond the defined execution context.

All infrastructure actions are performed using permissions explicitly granted and scoped by the customer.

Secure development

Bluebricks follows a secure SDLC with controls spanning design, implementation, testing, and deployment.

• Production changes are reviewed, approved, and tracked through formal change management workflows

• Infrastructure changes are auditable and attributable to specific users and executions

• Orchestration definitions are versioned and tracked to prevent unauthorized modification

Infrastructure security

Bluebricks production systems are designed with layered security controls, including:

• Strict separation between production and non-production environments

• Network segmentation and controlled access boundaries

• Continuous monitoring and alerting

• Restricted administrative access

Hosting

Bluebricks infrastructure is hosted on major cloud providers, including AWS and Azure.

Primary hosting regions are located in Europe. Disaster recovery infrastructure is deployed in a separate region to support resilience and availability.

Infrastructure is deployed using cloud-native security controls and managed services.

Encryption and data protection

Bluebricks uses industry-standard encryption mechanisms to protect platform data.

• Data is encrypted at rest using cloud-provider managed encryption (e.g., AES-256)

• Data is encrypted in transit using TLS 1.2 or newer

• Encryption keys are managed using native cloud key management services (KMS) with restricted administrative access

Data access and scope

Bluebricks is designed to operate on infrastructure that customers fully control.

To provide core functionality, the platform may be granted access to:

• Cloud infrastructure resources (e.g., compute, networking, IAM policies)

• Git-based repositories for infrastructure-as-code references

• Configuration metadata required to plan and apply infrastructure changes

What Bluebricks does not access

• Customer application data

• Customer databases or business payloads

• Runtime application traffic

Data stored by Bluebricks

Bluebricks stores only the information required to operate the orchestration platform, including:

• Infrastructure metadata (blueprints, environments, orchestration state)

• Execution and activity logs (what occurred, when, and which platform user initiated it)

User identities are integrated with customer identity providers. Platform identifiers are used internally, and Bluebricks does not rely on email addresses as primary system identifiers.

Identity, authentication, and access control

Customer access

Bluebricks supports enterprise identity providers, including providers such as Azure AD and Okta.

• Single Sign-On (SSO) support

• SCIM-based user provisioning and deprovisioning

• Role-based access control (RBAC) enforcing least privilege at organization and environment levels

Orchestrator permissions

Customers explicitly define the permissions granted to the Bluebricks orchestrator.

• Permissions can be scoped to specific services, resources, or environments

• Customers may modify or revoke permissions at any time

• Execution rights can be limited to plan-only or apply-capable roles depending on configuration

Customer isolation

Bluebricks operates as a multi-tenant service with logical segregation between customer environments.

• Customer metadata is logically isolated

• Access boundaries are enforced through RBAC and tenant-aware services

• Infrastructure actions execute only within the customer's own cloud accounts

Network security

Production systems operate within private network environments.

• Administrative access is restricted and controlled

• Continuous monitoring and centralized logging support anomaly detection

• Security events are reviewed as part of ongoing operational monitoring

Penetration testing and vulnerability management

Bluebricks conducts regular third-party penetration testing.

Findings are tracked and remediated through formal remediation workflows. Summaries and reports are available through the Trust Center upon request.

Continuous vulnerability scanning is performed across infrastructure and dependencies.

Monitoring, logging, and auditability

Bluebricks continuously monitors production systems for availability and security events.

Audit logs capture:

• Authentication and access attempts

• Configuration and infrastructure changes

• Deployment and orchestration events

• System-level administrative actions

Logs support internal investigations, compliance reviews, and customer security assessments.

Resilience and disaster recovery

Bluebricks maintains documented business continuity and disaster recovery (BC/DR) plans.

• Production infrastructure is deployed with redundancy across availability zones

• Backups and recovery procedures are regularly tested

• Orchestration components operating inside customer environments can continue executing approved workflows even if the Bluebricks control plane is temporarily unavailable

AI usage

Bluebricks does not use customer data to train artificial intelligence or machine learning models.

Optional AI-assisted features may support infrastructure code generation workflows. These features:

• Require explicit customer opt-in

• Are disabled by default

• Do not use customer data for model training

Questions and contact

Security is an integral part of the Bluebricks platform design.

For compliance documentation, audit requests, or security-related questions, please visit the Bluebricks Trust Center or contact: security@bluebricks.co